[unpackme] Armadillo v6.0.0 Custom Build

[acidflash]

Here is the latest and 'greatest' Armadillo with all the toys used to protect my unpackme.

PM or Post valid dumps, I wish to know how hard this is over v5

-acid

Working key to unlock secure sections, only use if your skills can't handle them

TUTS4YOU
000016-DJFTC0-8C0BU3-Z7WHXX-P4WZC7-5KP8N5-VRZFNE-8C4JJR-1F7VNN-HKQUPK

UnPackMe_Armadillo_v6.rar

Edited July 12, 2008 by acidflash

[Fungus]

ArmInLine nano handler no longer works on this.

CopyMemII/Nano handler is different.

Shouldn't be too hard to do, I unpacked it so far, but can't fix nano's cause I dunno how to do them by hand.

[acidflash]

Here is a InstantDemo of how my test app should work when properly unpacked

armadillo.rar

[stephenteh]

haven't look into the unpackme but I would say this v6 has no difference at all compared to v5...in term of difficulty of unpacking it...

Edited July 11, 2008 by stephenteh

[trickyboy]

haven't look into the unpackme but I would say this v6 has no difference at all compared to v5...in term difficulty of unpacking it...

yeah, stephenteh is right. Nothing is special in new version. ArmInline worked fine.

After Unpacked, just fix check key of Armadillo. (very simple, like as old version)

http://rapidshare.com/files/128951638/Dumped_fix5.rar

[Fungus]

Hrm... ArmInLine just hangs forever here... weird.

:EDIT:

Ok, I had to kill the Parent Process first or it would hang, hehehe.

Unpacked.rar

Unpacked =]

Edited July 11, 2008 by Fungus

[acidflash]

Hrm... ArmInLine just hangs forever here... weird.

:EDIT:

Ok, I had to kill the Parent Process first or it would hang, hehehe.

Unpacked.rar

Unpacked =]

unpacked and running in trial mode... Not defeated.. If you did it correctly you would have locked sections w/ code thats missing from your dump..

Please watch the movie I posted above to see how it should work.

-acid

[LCF-AT]

Hello,

do you mean the trial mode in the unpacked file?There is no trial mode anymore.

It just checks some variables.Just need to patch this routine at SUB ESP,400

to

inc eax

ret

and all is running without nag and forever.

greetz

[Fungus]

You mean it has secured sections?

There's no way I know of to defeat that without proper key.

If you give me valid key I will unpack it fully. =]

Edited July 11, 2008 by Fungus

[acidflash]

You mean it has secured sections?

There's no way I know of to defeat that without proper key.

If you give me valid key I will unpack it fully. =]

Yes, SECURED_A & SECURED_B need to be unlocked, thats part of the challange. The msg box's are to prove the section is unlocked, not at all ment to be NAGS.... Think of them as "good job" pats

I'll also post a working key in a few days... I really wish people to own this.

-acid

Edited July 12, 2008 by acidflash

[Fungus]

Well I have tried to defeat secured sections many times without a key, and just have not found any way to do it. If someone knows a way, I and many others would love to know how to do so.

[acidflash]

Well I have tried to defeat secured sections many times without a key, and just have not found any way to do it. If someone knows a way, I and many others would love to know how to do so.

Might want to look at my first post for this unpackme, i just edited it :>

[trickyboy]

Well I have tried to defeat secured sections many times without a key, and just have not found any way to do it. If someone knows a way, I and many others would love to know how to do so.

Might want to look at my first post for this unpackme, i just edited it :>

I thinks the problem like as password of winrar. When you have password for extracting files, everything is simple. If don't have it, you must bruteforce. But it's impossible with complex password.

[Apuromafo]

in http://reversengineering.wordpress.com/

say this

is a tutorial from rea for solve this armadillo 6

nice tut from Why not bar but the language of this tut is not en !

http://rapidshare.com/files/129417421/MUP_Armadillo_v600.rar

http://rapidshare.com/files/129420055/UnPa...rmadillo_v6.rar

http://rapidshare.com/files/129421376/File...ed_And_more.rar

maybe is better that others unpack because include the inyection of dll and key etc :S

is in vietnamiese

[XytroX]

hi!

i've unpacked it fully (including secured_a & secured_ with the key.

well, the protected exe doesnt work on my pc (it shows an error instead of the second "congratulations..."-messagebox and shuts down) but the deprotected one works fine.

as i trace through the copymem-routine, i figured out that the secured code is already in the coded pages.

that means the secured parts are not inserted while decoding the single pages but when the child-process is fired up (i think)

i havent worked on armadillo for a long time and to be honest: since this unpackme ive never heared of secured code at all

anyone knows where the protected code is injected or has a hint where to start searching for this part of protection?

XytroX

[Fungus]

I have analyzed it before, so I take this from another post I made elsewhere.

This is from an Arma 5.xx protected app. Basic example of the code which writes the secured sections to the process memory. The table is left incomplete unless you have a valid key.

If you get anywhere with it , please share =]

Secured Section Table (incomplete)00 00 00 00 00 00 00 00
7B EC 03 00 C1 D1 C1 9A
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
F0 E8 03 00 C2 3E FD D1
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00Secured Section Struct {uLong Offset Destination Address; uLong Decrypt Key}003C6CEC			  C705 28413D00 A44B3D00			 MOV	 DWORD PTR DS:[3D4128], 3D4BA4					 ; start of secured sections
003C6CF6			  A1 889F3D00						MOV	 EAX, DWORD PTR DS:[3D9F88]
003C6CFB			  8B80 70050000					  MOV	 EAX, DWORD PTR DS:[EAX+570]
003C6D01			  8985 18DBFFFF					  MOV	 DWORD PTR SS:[EBP-24E8], EAX				   ; table pointer
003C6D07			  83A5 44DBFFFF 00				   AND	 DWORD PTR SS:[EBP-24BC], 0
003C6D0E			  EB 0D							  JMP	 SHORT 003C6D1D
003C6D10			  8B85 44DBFFFF					  MOV	 EAX, DWORD PTR SS:[EBP-24BC]				   ; secured section number
003C6D16			  40								 INC	 EAX
003C6D17			  8985 44DBFFFF					  MOV	 DWORD PTR SS:[EBP-24BC], EAX				   ; secured section number
003C6D1D			  A1 889F3D00						MOV	 EAX, DWORD PTR DS:[3D9F88]
003C6D22			  66:8B80 6C050000				   MOV	 AX, WORD PTR DS:[EAX+56C]						 ; number of secured sections
003C6D29			  66:8985 D4ACFFFF				   MOV	 WORD PTR SS:[EBP+FFFFACD4], AX
003C6D30			  0FB785 D4ACFFFF					MOVZX   EAX, WORD PTR SS:[EBP+FFFFACD4]
003C6D37			  3985 44DBFFFF					  CMP	 DWORD PTR SS:[EBP-24BC], EAX				   ; check if all secured sections decrypted
003C6D3D			  0F8D EC010000					  JGE	 003C6F2F
003C6D43			  8B85 18DBFFFF					  MOV	 EAX, DWORD PTR SS:[EBP-24E8]				   ; destination of secured section
003C6D49			  8B00							   MOV	 EAX, DWORD PTR DS:[EAX]
003C6D4B			  8985 ECC3FFFF					  MOV	 DWORD PTR SS:[EBP-3C14], EAX
003C6D51			  8B85 18DBFFFF					  MOV	 EAX, DWORD PTR SS:[EBP-24E8]
003C6D57			  83C0 04							ADD	 EAX, 4
003C6D5A			  8985 18DBFFFF					  MOV	 DWORD PTR SS:[EBP-24E8], EAX				   ; decryption key
003C6D60			  8B85 18DBFFFF					  MOV	 EAX, DWORD PTR SS:[EBP-24E8]
003C6D66			  8B00							   MOV	 EAX, DWORD PTR DS:[EAX]
003C6D68			  8985 F0C3FFFF					  MOV	 DWORD PTR SS:[EBP-3C10], EAX
003C6D6E			  8B85 18DBFFFF					  MOV	 EAX, DWORD PTR SS:[EBP-24E8]
003C6D74			  83C0 04							ADD	 EAX, 4
003C6D77			  8985 18DBFFFF					  MOV	 DWORD PTR SS:[EBP-24E8], EAX				   ; address of secured section (fetch)
003C6D7D			  A1 94203E00						MOV	 EAX, DWORD PTR DS:[3E2094]
003C6D82			  66:8B00							MOV	 AX, WORD PTR DS:[EAX]
003C6D85			  66:8985 F4C3FFFF				   MOV	 WORD PTR SS:[EBP-3C0C], AX
003C6D8C			  A1 94203E00						MOV	 EAX, DWORD PTR DS:[3E2094]
003C6D91			  40								 INC	 EAX
003C6D92			  40								 INC	 EAX
003C6D93			  A3 94203E00						MOV	 DWORD PTR DS:[3E2094], EAX						; length of secured section
003C6D98			  0FB785 F4C3FFFF					MOVZX   EAX, WORD PTR SS:[EBP-3C0C]
003C6D9F			  50								 PUSH	EAX
003C6DA0			  FF35 94203E00					  PUSH	DWORD PTR DS:[3E2094]							 ; start of data
003C6DA6			  8D85 ECB3FFFF					  LEA	 EAX, DWORD PTR SS:[EBP+FFFFB3EC]			   ; buffer (stack)
003C6DAC			  50								 PUSH	EAX
003C6DAD			  E8 DE660000						CALL	003CD490									   ; JMP to msvcrt.memcpy
003C6DB2			  83C4 0C							ADD	 ESP, 0C
003C6DB5			  0FB785 F4C3FFFF					MOVZX   EAX, WORD PTR SS:[EBP-3C0C]					   ; length of secured section
003C6DBC			  8B0D 94203E00					  MOV	 ECX, DWORD PTR DS:[3E2094]						; start of data
003C6DC2			  03C8							   ADD	 ECX, EAX
003C6DC4			  890D 94203E00					  MOV	 DWORD PTR DS:[3E2094], ECX						; end of data to copy
003C6DCA			  83BD ECC3FFFF 00				   CMP	 DWORD PTR SS:[EBP-3C14], 0						; decrypt or not | 1 = decrypt
003C6DD1			  0F84 53010000					  JE	  003C6F2A
003C6DD7			  8B85 F0C3FFFF					  MOV	 EAX, DWORD PTR SS:[EBP-3C10]				   ; decryption key
003C6DDD			  8985 E0B3FFFF					  MOV	 DWORD PTR SS:[EBP+FFFFB3E0], EAX
003C6DE3			  8D85 ECB3FFFF					  LEA	 EAX, DWORD PTR SS:[EBP+FFFFB3EC]			   ; start of buffer (stack)
003C6DE9			  8985 E8B3FFFF					  MOV	 DWORD PTR SS:[EBP+FFFFB3E8], EAX			   ; pointer to buffer
003C6DEF			  0FB785 F4C3FFFF					MOVZX   EAX, WORD PTR SS:[EBP-3C0C]					   ; length of secured section
003C6DF6			  8B8D E8B3FFFF					  MOV	 ECX, DWORD PTR SS:[EBP+FFFFB3E8]			   ; start of buffer (stack)
003C6DFC			  03C8							   ADD	 ECX, EAX
003C6DFE			  898D E4B3FFFF					  MOV	 DWORD PTR SS:[EBP+FFFFB3E4], ECX			   ; end of buffer (stack)
003C6E04			  EB 0D							  JMP	 SHORT 003C6E13									; jump into decrypt loop
003C6E06			  8B85 E8B3FFFF					  MOV	 EAX, DWORD PTR SS:[EBP+FFFFB3E8]			   ; start of buffer
003C6E0C			  40								 INC	 EAX											   ; increment buffer pointer
003C6E0D			  8985 E8B3FFFF					  MOV	 DWORD PTR SS:[EBP+FFFFB3E8], EAX			   ; save buffer pointer
003C6E13			  8B85 E8B3FFFF					  MOV	 EAX, DWORD PTR SS:[EBP+FFFFB3E8]			   ; start of buffer (stack)
003C6E19			  3B85 E4B3FFFF					  CMP	 EAX, DWORD PTR SS:[EBP+FFFFB3E4]			   ; end of buffer stack
003C6E1F			  73 1F							  JNB	 SHORT 003C6E40									; branch if complete
003C6E21			  8D8D E0B3FFFF					  LEA	 ECX, DWORD PTR SS:[EBP+FFFFB3E0]			   ; address of decryption key
003C6E27			  E8 14A2FDFF						CALL	003A1040									   ; decrypt buffer
003C6E2C			  8B8D E8B3FFFF					  MOV	 ECX, DWORD PTR SS:[EBP+FFFFB3E8]			   ; start of buffer (stack)
003C6E32			  8A09							   MOV	 CL, BYTE PTR DS:[ECX]							 ; get encrypted byte
003C6E34			  32C8							   XOR	 CL, AL											; decrypt it
003C6E36			  8B85 E8B3FFFF					  MOV	 EAX, DWORD PTR SS:[EBP+FFFFB3E8]			   ; destination in buffer (stack)
003C6E3C			  8808							   MOV	 BYTE PTR DS:[EAX], CL							 ; store decrypted byte in buffer
003C6E3E			^ EB C6							  JMP	 SHORT 003C6E06									; loop
003C6E40			  8D85 DCB3FFFF					  LEA	 EAX, DWORD PTR SS:[EBP+FFFFB3DC]			   ; old protect
003C6E46			  50								 PUSH	EAX
003C6E47			  6A 04							  PUSH	4												 ; new protect
003C6E49			  0FB785 F4C3FFFF					MOVZX   EAX, WORD PTR SS:[EBP-3C0C]					   ; number of bytes
003C6E50			  50								 PUSH	EAX
003C6E51			  8B85 10DAFFFF					  MOV	 EAX, DWORD PTR SS:[EBP-25F0]				   ; image base
003C6E57			  0385 ECC3FFFF					  ADD	 EAX, DWORD PTR SS:[EBP-3C14]				   ; offset of destination
003C6E5D			  50								 PUSH	EAX											   ; address of detination
003C6E5E			  FF15 24E13C00					  CALL	NEAR DWORD PTR DS:[3CE124]						; kernel32.VirtualProtect
003C6E64			  A0 64813D00						MOV	 AL, BYTE PTR DS:[3D8164]
003C6E69			  8885 BCACFFFF					  MOV	 BYTE PTR SS:[EBP+FFFFACBC], AL
003C6E6F			  0FB685 BCACFFFF					MOVZX   EAX, BYTE PTR SS:[EBP+FFFFACBC]
003C6E76			  85C0							   TEST	EAX, EAX
003C6E78			  74 64							  JE	  SHORT 003C6EDE									; seems to branch always003C6E7A			  6A 00							  PUSH	0												 ; no idea what this does
003C6E7C			  0FB785 F4C3FFFF					MOVZX   EAX, WORD PTR SS:[EBP-3C0C]
003C6E83			  50								 PUSH	EAX
003C6E84			  8B85 10DAFFFF					  MOV	 EAX, DWORD PTR SS:[EBP-25F0]
003C6E8A			  0385 ECC3FFFF					  ADD	 EAX, DWORD PTR SS:[EBP-3C14]
003C6E90			  50								 PUSH	EAX
003C6E91			  E8 03110000						CALL	003C7F99
003C6E96			  83C4 0C							ADD	 ESP, 0C
003C6E99			  0FB785 F4C3FFFF					MOVZX   EAX, WORD PTR SS:[EBP-3C0C]
003C6EA0			  50								 PUSH	EAX
003C6EA1			  8D85 ECB3FFFF					  LEA	 EAX, DWORD PTR SS:[EBP+FFFFB3EC]
003C6EA7			  50								 PUSH	EAX
003C6EA8			  8B85 10DAFFFF					  MOV	 EAX, DWORD PTR SS:[EBP-25F0]
003C6EAE			  0385 ECC3FFFF					  ADD	 EAX, DWORD PTR SS:[EBP-3C14]
003C6EB4			  50								 PUSH	EAX
003C6EB5			  E8 D6650000						CALL	003CD490									   ; JMP to msvcrt.memcpy
003C6EBA			  83C4 0C							ADD	 ESP, 0C
003C6EBD			  6A 01							  PUSH	1
003C6EBF			  0FB785 F4C3FFFF					MOVZX   EAX, WORD PTR SS:[EBP-3C0C]
003C6EC6			  50								 PUSH	EAX
003C6EC7			  8B85 10DAFFFF					  MOV	 EAX, DWORD PTR SS:[EBP-25F0]
003C6ECD			  0385 ECC3FFFF					  ADD	 EAX, DWORD PTR SS:[EBP-3C14]
003C6ED3			  50								 PUSH	EAX
003C6ED4			  E8 C0100000						CALL	003C7F99
003C6ED9			  83C4 0C							ADD	 ESP, 0C
003C6EDC			  EB 24							  JMP	 SHORT 003C6F02003C6EDE			  0FB785 F4C3FFFF					MOVZX   EAX, WORD PTR SS:[EBP-3C0C]					   ; length of secured section
003C6EE5			  50								 PUSH	EAX
003C6EE6			  8D85 ECB3FFFF					  LEA	 EAX, DWORD PTR SS:[EBP+FFFFB3EC]			   ; start of buffer (stack)
003C6EEC			  50								 PUSH	EAX
003C6EED			  8B85 10DAFFFF					  MOV	 EAX, DWORD PTR SS:[EBP-25F0]				   ; image base
003C6EF3			  0385 ECC3FFFF					  ADD	 EAX, DWORD PTR SS:[EBP-3C14]				   ; offset of destination
003C6EF9			  50								 PUSH	EAX											   ; address of destination
003C6EFA			  E8 91650000						CALL	003CD490									   ; JMP to msvcrt.memcpy
003C6EFF			  83C4 0C							ADD	 ESP, 0C
003C6F02			  8D85 DCB3FFFF					  LEA	 EAX, DWORD PTR SS:[EBP+FFFFB3DC]			   ; old protect
003C6F08			  50								 PUSH	EAX
003C6F09			  FFB5 DCB3FFFF					  PUSH	DWORD PTR SS:[EBP+FFFFB3DC]					   ; new protect
003C6F0F			  0FB785 F4C3FFFF					MOVZX   EAX, WORD PTR SS:[EBP-3C0C]					   ; length of secured section
003C6F16			  50								 PUSH	EAX
003C6F17			  8B85 10DAFFFF					  MOV	 EAX, DWORD PTR SS:[EBP-25F0]				   ; image base
003C6F1D			  0385 ECC3FFFF					  ADD	 EAX, DWORD PTR SS:[EBP-3C14]				   ; offset of destination
003C6F23			  50								 PUSH	EAX											   ; address of destination
003C6F24			  FF15 24E13C00					  CALL	NEAR DWORD PTR DS:[3CE124]						; kernel32.VirtualProtect
003C6F2A			^ E9 E1FDFFFF						JMP	 003C6D10									   ; end of secured sections (loop)

You can reach this code very easy, after breaking on VirtualProtect as normal to fix Import Redirection, scroll down and look for the call to VirtualProtect with the jmp immediately after; 003C6F2A in this example.

[XytroX]

thanks Fungus!

i've found it in the unpackme although it's slightly different ( XOR EAX,ECX instead of XOR CL,AL and so on...)

and i agree with you - i cant see a way to beat it without a valid key since brute-forcing can take a while... or two...

but it was interesting to have a look at it.

regards...

XytroX

[acidflash]

thanks Fungus!

i've found it in the unpackme although it's slightly different ( XOR EAX,ECX instead of XOR CL,AL and so on...)

and i agree with you - i cant see a way to beat it without a valid key since brute-forcing can take a while... or two...

but it was interesting to have a look at it.

regards...

XytroX

a valid key is now in edited into the first post. It's for TUTS4YOU. Read my first post.

-acid

[CondZero]

Secured Section Table (incomplete)

It has been stated on a post on the Arteam site regarding

this unpackme from *EvOlUtIoN* that by:

Notice that in this unpackme the only necessary thing is to inject 3 environment variables:

ArmServer

ALTUSERNAME

USERKEY

If you put something in those variables before EP, all go well, even if data are not correct.

any comments?

one question for you, acidflash, on the "Armadillo not detected" nag screen. Is this only

generated if the ALTUSERNAME variable is not found?

cheers

Edited July 20, 2008 by CondZero

[Fungus]

That is incorrect, and that tut by whynotbar is also incorrect...

As in his little video, Secured_A and Secured_B nag boxes should show up. These are contained in secured sections, which will only be written to the process memory if you enter the key he provided =]

[CondZero]

That is incorrect

Don't blame the messenger...

Have a look below from his fixed version:

Here my unpacked

cheers

Edited July 20, 2008 by Sonny27

[Fungus]

Hrm that is interesting indeed!

and which point do these EV's need to be injected? wonder how to do that, if so, then secured sections are defeatable without valid key, and that would be very very cool.

[acidflash]

Secured Section Table (incomplete)

It has been stated on a post on the Arteam site regarding

this unpackme from *EvOlUtIoN* that by:

Notice that in this unpackme the only necessary thing is to inject 3 environment variables:

ArmServer

ALTUSERNAME

USERKEY

If you put something in those variables before EP, all go well, even if data are not correct.

any comments?

one question for you, acidflash, on the "Armadillo not detected" nag screen. Is this only

generated if the ALTUSERNAME variable is not found?

cheers

Correct! nice job btw! A true artist with Armidillo

	
	if (!GetEnvironmentVariable("ALTUSERNAME", name, 255)) {		MessageBox(0, "Armadillo not detected!", "ERROR!", MB_OK|MB_ICONERROR);
		return false;	};

[CondZero]

and which point do these EV's need to be injected?

Preferably before the OEP using JMP (code cave) JMP back, although I'm sure it can be at any point

before they are referenced by GetEnvironmentVariableA ...

cheers

[stephenteh]

I don't think you can decrypt the secure section by setting ArmServer, ALTUSERNAME, USERKEY variables... My guess will be "EvOlUtIoN" register the unpackme using the key and unpacked it.